Google was caught bypassing privacy settings in Safari last week, and now …

Google was caught last week bypassing default privacy settings in the Safari browser in order to serve up tracking cookies. The company claimed the situation was an accident and limited only to the Safari Web browser, but today Microsoft claimed Google is doing much the same thing with Internet Explorer.

In a blog post titled "Google bypassing user privacy settings" Microsoft's IE Corporate Vice President Dean Hachamovitch states that "When the IE team heard that Google had bypassed user privacy settings on Safari, we asked ourselves a simple question: is Google circumventing the privacy preferences of Internet Explorer users too? We’ve discovered the answer is yes: Google is employing similar methods to get around the default privacy protections in IE and track IE users with cookies."

Hachamovitch explains that IE's default configuration blocks third-party cookies unless presented with a "P3P (Platform for Privacy Preferences Project) Compact Policy Statement" indicating that the site will not use the cookie to track the user. Microsoft accuses Google of sending a string of text that tricks the browser into thinking the cookie won't be used for tracking. "By sending this text, Google bypasses the cookie protection and enables its third-party cookies to be allowed rather than blocked," Microsoft said.

The text allegedly sent by Google actually reads "This is not a P3P policy" and includes a link to a Google page which says cookies used to secure and authenticate Google users are needed to store user preferences, and that the P3P protocol "was not designed with situations like these in mind."
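As an added illustration (not code from the article, Microsoft or Google), here is a small Python checker of the kind a site operator or researcher could run over captured response headers to find P3P headers that are not real compact policies. The token table is transcribed from the P3P 1.0 compact-policy vocabulary from memory and should be checked against the spec; the sample headers and the URL in them are constructed.

```python
# Added example: validate P3P compact-policy (CP) headers. Per the P3P spec an
# invalid compact policy is supposed to be ignored, i.e. treated as no policy,
# so a "this is not a P3P policy" string should never unlock a third-party cookie.
import re

# Compact-policy tokens that take no suffix (assumed transcription of the spec).
_PLAIN = {
    "NOI", "ALL", "CAO", "IDC", "OTI", "NON",           # access
    "DSP", "COR", "MON", "LAW", "NID", "TST", "CUR",    # disputes/remedies/misc
    "OUR",                                              # recipients (no suffix)
    "NOR", "STP", "LEG", "BUS", "IND",                  # retention
    "PHY", "ONL", "UNI", "PUR", "FIN", "COM", "NAV",    # data categories
    "INT", "DEM", "CNT", "STA", "POL", "HEA", "PRE", "LOC", "GOV", "OTC",
}
# Tokens that may carry an optional a/i/o (always / opt-in / opt-out) suffix.
_SUFFIXED = {
    "ADM", "DEV", "TAI", "PSA", "PSD", "IVA", "IVD",    # purposes
    "CON", "HIS", "TEL", "OTP",
    "DEL", "SAM", "UNR", "OTR", "PUB",                  # recipients
}
_CP_RE = re.compile(r'CP\s*=\s*"([^"]*)"', re.IGNORECASE)

def parse_cp(header_value):
    """Return the whitespace-separated tokens of CP="...", or None if there is no CP directive."""
    m = _CP_RE.search(header_value)
    return None if m is None else m.group(1).split()

def is_valid_token(tok):
    if tok in _PLAIN or tok in _SUFFIXED:
        return True
    return len(tok) == 4 and tok[:3] in _SUFFIXED and tok[3] in "aio"

def classify_p3p(header_value):
    """'missing' (no CP directive), 'valid' (every token known) or 'invalid' (unknown/empty)."""
    tokens = parse_cp(header_value)
    if tokens is None:
        return "missing"
    if tokens and all(is_valid_token(t) for t in tokens):
        return "valid"
    return "invalid"

# Constructed sample headers: a well-formed policy, a free-text string of the kind
# the article describes (placeholder URL, not Google's real link), and no CP at all.
SAMPLE_HEADERS = {
    "well-formed": 'CP="NOI DSP COR NID CUR ADMa DEVa OTPa OUR NOR"',
    "not-a-policy": 'CP="This is not a P3P policy. See http://example.invalid/p3p for more info."',
    "no-cp": 'policyref="/w3c/p3p.xml"',
}

def audit(headers):
    """Classify each captured P3P header value; 'invalid' entries are the ones to investigate."""
    return {label: classify_p3p(value) for label, value in headers.items()}
```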

Microsoft said it has contacted Google to ask the company to "commit to honoring P3P privacy settings for users of all browsers." Microsoft also updated the Tracking Protection Lists in IE9 to prevent the tracking described by Hachamovitch in the blog post. Ars has contacted Google to see if the company has any response to the Microsoft allegations, and we'll update this post if we hear back.

UPDATE: It turns out Facebook and many other sites are using an almost identical scheme to override Internet Explorer's privacy setting, according to privacy researcher Lorrie Faith Cranor at Carnegie Mellon University. "Companies have discovered that they can lie in their [P3P policies] and nobody bothers to do anything about it," Cranor wrote in a recent blog post.

UPDATE 2: Google has gotten back to us with a lengthy reply, arguing that Microsoft's reliance on P3P forces outdated practices onto modern websites, and points to a study conducted in 2010 (the Carnegie Mellon research from Cranor and her colleagues) that studied 33,000 sites and found about a third of them were circumventing P3P in Internet Explorer.

"Microsoft uses a 'self-declaration' protocol (known as 'P3P') dating from 2002 under which Microsoft asks websites to represent their privacy practices in machine-readable form," Google Senior VP of Communications and Policy Rachel Whetstone says in a statement e-mailed to Ars. "It is well known—including by Microsoft—that it is impractical to comply with Microsoft’s request while providing modern web functionality."

Facebook's "Like" button, the ability to sign into websites using your Google account "and hundreds more modern Web services" would be broken by Microsoft's P3P policy, Google says. "It is well known that it is impractical to comply with Microsoft’s request while providing this web functionality," Whetstone said. "Today the Microsoft policy is widely non-operational."

That 2010 research even calls out Microsoft's own msn.com and live.com for providing invalid P3P policy statements. The research paper further states that "Microsoft's support website recommends the use of invalid CPs as a work-around for a problem in IE."

I can't really say I'm not surprised. Google's services are free, and if you aren't being sold the product, you're the product being sold. That's how Google makes money - tracking and analysis of your actions on the web to allow their customers to provide ads that will attract you. Sure, they will come out and say "we're sorry", but the only reason it was happening in the first place was because it was there, easily exploitable, and Google, like all corporations, loves money.

Just because someone is an Android fan doesn't mean they support their policies, you half-wit. You see, unlike Apple zealots, most fans of Google wares aren't "all in". I like Android. But if this is true, Google can get bent.

I'm beginning to believe that Google is sitting on top of a PR powder keg. If someone at google doesn't get some sort of religion going similar to Bill Gate's "We can and must do better" security memo, they're going to see their user base begin to erode. As you point out, the user is their product. That means, to some extent, trustworthiness is an asset.

This could easily be a coding bug. I'm not defending what they are doing; however, it's pretty easy to let something like this slip by. The one thing I've learnt about web development is that regardless of how many tests you go through, IE and Safari still find ways to screw up...

It's already started to occur. I have multiple friends who have been Google fans for years. But their *shrugs* whatever behavior as of late, and it has been as of late, is starting to wear thin. I've been willing to cut Google a lot of slack because they have not exhibited poor behavior in the past. But lately? Poor choices? Check. Arrogant behavior? Check. Not listening to their users who scream when they HATE your policy? Check.

Yes... your browser allows Google to do something so it must be Google's fault.

These stories all irritate me. If it's a problem, doesn't that imply that hundreds of entities much more unscrupulous than Google could already be taking advantage of it?

Just like the 'Safari Issue,' this one seems more like a browser issue than a Google issue to me...

Of course if the goal is for software and browsers to be buggy and traceable and exploitable, by everyone EXCEPT for Google, or even have features that are completely optional unless you're Google, which is not allowed to compete or make a profit because Washington hates them for no reason... then maybe it all makes sense.

Along these lines, what's with the parade of 'privacy advocates' who will whine up the wazoo about Facebook's or Google's privacy policies and cookies, but can't be bothered to clear their cookies or, heaven forbid, use an anonymous VPN or Tor?

One thing to note is that if the P3P privacy settings standard is really that easy to circumvent, why is it a standard in the first place? A security standard completely based on involved parties acting on good faith is just asking to be broken...

Hachamovitch explains that IE's default configuration blocks third-party cookies unless presented with a "P3P (Platform for Privacy Preferences Project) Compact Policy Statement" indicating that the site will not use the cookie to track the user.

I need to understand this, so if someone could please help me, I'd appreciate it:

Let's keep this whole thing in perspective... Google is the only one getting CAUGHT! As the update to the article points out Facebook is doing the same thing. Apple and Microsoft's newest OS's are heavily based on user specific information being displayed on screen, meaning they're tracking what you're doing too.

Don't fall victim to corporate misdirection, while we cry foul about Google another IT based corporation is getting away with doing something just as bad or worse.

How's about reading the article?

You can't say "bug" if what MS says is true and Google is lying about the use of the P3P policy, including a page that basically says "We're lying about how we're using the P3P cookie because it doesn't support what we want to do." Google's only defense seems to be "we put the link about how we're using it inside the cookie". Next they'll tell us they are embedding the ToS inside of HTML comments and we should view the page source.

Funny how all those coding bugs tend to go in the direction of giving Google more information about us.

All of their applications are built around gathering information so they can display a better advert for you, so it seems fairly logical that they would legitimately have a bug that takes more than intended.

What people should really be concerned with is: if Google is capable of doing this, who else is? Obviously this is a flaw in IE and Safari.

Because all these pro-SOPA legislation supporters are launching a smear campaign against Google (remember, WSJ is owned by Rupert Murdoch). Google uses the exploit on Safari to make +1 work on the browser. It is not used to track users. These hired shills by Microsoft and pro-SOPA companies are all flocking to tech sites to condemn Google.

Some of you might find this paper interesting; written by Bil Corry and Andy Steingruebl (employees at Paypal), it discusses some of the problems that "Do Not Track" and P3P need to overcome in regards to third-party cookies. They give a good example, where a user might visit paypal.com, but Paypal's payment system also requires a cookie from paypalobjects.com to properly function.

In Safari's default privacy setup, there's a possibility where the second "third-party" cookie isn't loaded when a user visits paypal.com. It's exactly the same problem that Google runs into for many of their sites; a visitor of google.com may not get the cookie for youtube.com, which breaks their single-sign-on system.

I still think that Google should have been more forthcoming about these issues than they have been, but I think it's obvious based on the number of sites that have used these loopholes to work around issues that there is a bigger problem here; the fight between privacy and convenience, and the fact that the technology currently in place only allows you to pick one side or another.

First Google is not displaying a better ad for me, they are displaying a better ad for the advertisers.

Second, obviously a lot of people are capable of this; that's why I don't go to random porn sites and warez download websites...

"The P3P specification (in an attempt to leave room for future advances in privacy policies) states that browsers should ignore any undefined policies they encounter" - so according to the actual specification, a standards-compliant browser should ignore Google's header?

Just because someone is an Apple fan doesn't mean they [always] support their policies [ad hom attack deleted].

If you have a Blogger blog, you can't actually log into "yourblog.blogspot.com" without allowing 3rd-party cookies so that "blogger.com" also sets a cookie. So when you allow 3rd-party cookies for blogger.com, it also sets other 3rd-party cookies.

Seems like MS should have some egg on their face for presuming that an invalid P3P policy statement meant to express the policy that a cookie wasn't going to be used for anything. That's just nonsensical. Would be better to act as if the P3P hasn't been presented at all. Still, Google is obviously deliberately misusing the protocol.

Yeah, look at all those *other* bad guys.

Speaking of misdirection...

I would consider that less "misdirection" and more "full disclosure". Adding in the Apple and Microsoft bits might be a bit flawed, but too many people see the headline of the story and think "Oh, Google's so evil, they're the only one who does such things!"

Google's in the wrong here, despite how wrong the actual P3P implementation is, but to say that they are the only one practicing this (Facebook was immediately identified, Amazon is in the midst of a lawsuit over an invalid P3P header, and Paypal engineers call the implementation "flawed" and want an alternative) is wrong, too.

Sure, Apple and Microsoft are responsible for releasing exploitable products, but how does that fact absolve Google? By that logic, if I left my door ajar accidentally, it is okay for you to come in and rob me in the middle of the night? If you don't want to be raped you should have covered yourself up... yeah, heard that one before.

As to the conjecture that all of these are bugs. Really? They happened to write browser-specific bugs that are specifically served to a particular browser to circumvent its privacy settings. Occam's razor, anyone?